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Abstract 

This paper describes the security weakness of a recently proposed secure commu- 
nication method based on parameter modulation of a chaotic system and adaptive 
observer-based synchronization scheme. We show that the security is compromised 
even without precise knowledge of the chaotic system used. 



1 Introduction 



In recent years, a growing number of cryptosystems based on chaos have been 
proposed [1], many of them fundamentally flawed by a lack of robustness 
and security. In [2], the author proposes a symmetric secure communication 
system based on parameter modulation of a chaotic oscillator acting as a 
transmitter. The receiver is a chaotic system synchronized by means of an 
adaptive observer. 

In this paper we show how to break the proposed cryptosystem when Lorenz's 
attractor is used as the non-linear time- varying system ([2, §3.2]), which, in 
fact, was the only example explained in detail. Lorenz system is described by 
the following equations: 

Xi = -aiXi + 0-2X2, (1) 

X2 = rxi - X2- X1X3, (2) 
X3 = X1X2 - bxs. (3) 



In the example the system is implemented with the following parameter val- 
ues, ((Ji, (72, r, b) = (10, 10, 28, 8/3). The signal used for synchronization of the 
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receiver is xi. The encryption process is defined by modulating the parameter 
(Ti with the binary encoded plaintext, so that it is o"i + 2.5 if the plaintext bit 
is " 1" and Ui — 2.5 if the plaintext bit is " 0" . The duration of the plaintext bits 
must be much larger than the convergence time of the adaption law. Actually, 
in the example the bit rate is 0.2 bits/second. The uncertain system can be 
rewritten in a compact form as: 
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The decryption process consists of a chaotic system synchronized by means of 
an adaptive observer. The observer-based response system is designed as: 
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The plaintext can be retrieved from the first derivative of the receiver uncer- 
tainty defined as: 

'e^-by{xx-xx) (10) 



The initial conditions of the transmitter and receiver are: (xi(0), X2(0), X3(0)) = 
(10,15,20) and (xi(0), ^2(0), ^3(0), ^(0)) = (0,0,0,0). 

Although the author seemed to base the security of its cryptosystem on the 
chaotic behavior of the output of the Lorenz non-linear system, no analysis of 
security was included. It was not considered whether there should be a key in 
the proposed system, what it should consist of, what the available key space 
would be, and how it would be managed. We discuss the weaknesses of this 
secure communication system in Sec. 2 and in Sec. 3. 
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2 Power analysis attack 



The main problem with this crypt osy stem hes on the fact that the cipher text 
is an analog signal, whose waveform depends on the system parameter values 
and therefore on the plaintext signal, which modulates one parameter. Con- 
sequently, the plaintext signal may be recovered from the transmitted signal 
power. Fig. 1 shows the Lorenz chaotic attractor for the different values of 
the parameter ai proposed by the author, making apparent the strong depen- 
dence of waveforms from the plaintext. In Fig. 1 (a) and (b) the attractor 
corresponding to cti = 7.5 and to Ui = 12.5 are shown, respectively. We can 
observe that the signal amplitudes are quite different. In Fig. 1(c) the attractor 
trajectory corresponding to a modulation of the ai parameter between 7.5 and 
12.5 is shown. We can observe that the resulting trajectory is the superposi- 
tion of the two preceding trajectories, although both are clearly recognizable, 
allowing the easy separation of each other. 



To break the system we have implemented the chaotic transmitter of the 
author's example with the same parameters values and initial conditions. The 
simulation is identical to the one employed in the original example, a four 
order Runge-Kutta integration algorithm in MATLAB 6. A step size of 0.001 
was used. 



To recover the plaintext we used no chaotic receiver, instead we computed 
the short time power analysis of the ciphertext. The procedure is illustrated 
in Fig. 2. The first step consists of squaring the ciphertext signal, Xi. Next, 
this signal is low-pas filtered and, finally, binary quantized. The low-pass filter 
employed is a four pole Butterworth with a frequency cutoff of 0.5 Hz. The 
quantizer is an inverting Smith-trigger with switch on point at 80 and switch 
off point at 50. 



The result is a good estimation of the plaintext, with tiny inaccuracies con- 
sisting of small delays in some transitions. Note that the short initial error 
was also present at the beginning of the retrieved signal obtained with the 
authorized receiver described in the author's example. 



It should be emphasized that our analysis is a blind detection, made without 
the least knowledge of what kind of non-linear time- varying system was used 
for encryption, nor its parameters values, and neither its keys, if any. 
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3 Generalized Synchronization attack 



A more precise signal retrieving of the plaintext can be performed if we know 
what kind of non-linear time- varying system was used for encryption, but still 
without the knowledge of its parameter and initial condition values. 

We have implemented another attack by means of an intruder receiver based 
on generalized synchronization [3] , fairly simpler than the authorized receiver. 
We use the following receiver: 
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The plaintext recovery procedure consists of the estimation of the short time 
cross correlation between the ciphertext and the recovery error. It is illustrated 
in Fig. 3. The first step consists of calculating the synchronization error of the 
receiver Axi = Xi — Xi. Next the synchronization error Axi is multiplied 
by the ciphertext Xi. Then this signal is low-pass filtered. Finally, a binary 
quantizer is used to regenerate the plaintext. The low-pass filter employed is a 
four pole Butterworth with a frequency cutoff of 0.5 Hz. The binary quantizer 
is a Smith-trigger with switch on point at 11 and switch off point at 9. 

We have found that the sensitivity to the parameter values is so low that the 
original plaintext can be recovered from the ciphertext using a receiver system 
with parameter values considerably different from the ones used by the sender. 
The parameter values can be obtained with a very accurate precision by means 
of the trial and error procedure varying them in an effort to approximate the 
filter output signal to a square wave. However, their exact knowledge is not 
necessary to recover the plaintext, as already illustrated in Fig. 3. 

The approximate range of parameter values that causes a chaotic behavior of 
the Lorenz oscillator is: 



(71 = {4, 14}, 
(J2 = {8,30}, 
r = {24,90}, 
b = {1.5,4.5}. 



(12) 
(13) 
(14) 
(15) 



Actually, wc have selected for our implementation, represented in Fig. 3, the 
central value of each of the preceding parameter ranges, that is: (cti, ct2, r, b) — 
(9, 19, 66, 3), with initial conditions (£i(0), 0:2(0), £3(0), ^(0)) = (0, 0, 0, 0). 
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4 Conclusions 

The proposed cryptosystem is rather weak, since it can be broken without 
knowing its parameter values and even without knowing the transmitter pre- 
cise structure. There is no mention about what the key is, nor which is the key 
space, a fundamental aspect in every secure communication system. The total 
lack of security discourages the use of this algorithm for secure applications. 
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Figure captions 




Fig. 1. Lorenz attractor with different parameter values: (a) ui = 7.5; (b) ui = 12.5, 
(c) cJi is switclied between 7.5 and 12.5 by tlie plaintext. 




Fig. 2. Power signal attack: (a) plaintext; (b) ciphertext, xi; (c) squared ciphertext 
signal, xi; (d) low pass filtered squared ciphertext signal; (e) recovered plaintext. 
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Fig. 3. Generalized Synchronization attack: (a) plaintext; (b) ciphertext, xi; (c) 
signal generated by the intruder's receiver, xi; (d) synchronization error of the 
intruder's receiver, Axi = xi — xi; (e) ciphertext multiplied by synchronization 
error, xi ■ Axi; (f) low-pass filtering of (e); (g) recovered plaintext. 
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